Tag Group

Tags that are determined by Palo Alto Network’s threat research team, Unit 42, to have connections to other specific tags are grouped accordingly. These connections can be based on the genre of the malware family, the attack campaigns they are associated with, and by malware design. If your organization has private tags that are related to a tag group, you can add them to a group editing the private tag settings.
You can view the individual tag groups by clicking on the
Groups
tab on the
Tag
page. You can also perform searches based on the name of a tag group.
tag-group-list.png
Tag Group
Description
Ransomware
Ransomware is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access.
MobileMalware
Mobile malware is malicious software that targets mobile phones by causing loss or leakage of confidential information. This group encompasses all mobile malware, such as Android malware.
PotentiallyUnwanted Program
PUPs (Potentially Unwanted Programs) are programs that may include adware, advertising, toolbars, and pop-ups that are unrelated to the software you downloaded. PUPs are often bundled with other software that you install.
Worm
A computer worm is a standalone malware family that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures to propagate across networks.
PointofSale
Point of Sale (POS) malware targets payment terminals with the intent to obtain credit card and/or debit card information.
BankingTrojan
Banking Trojans are a type of malware frequently used to steal sensitive information such as banking credentials. To do so, attackers normally inject malicious code into a website or a device; the code is frequently delivered through phishing emails.
ExploitKit
An exploit kit is a utility program that attackers use to launch exploits against vulnerable applications. Usually done on a mass scale, exploit kits are often leveraged to distribute additional malware. Exploit kits are commonly packaged with exploits that target commonly installed software like Adobe Flash, Java, etc.
Cryptominer
Cryptominer hides on computers or mobile devices to surreptitiously use the machine’s resources to mine cryptocurrencies.
Rootkit
A rootkit is malware that is designed to infect a target machine and allow an attacker to install a set of tools that grant the attacker persistent remote access to the computer. The malware typically hides deep within the operating system, firmware, and/or driver suite and can evade detection by anti-malware applications and other security tools.
RemoteAccessTrojan
Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim machine. Often packaged to imitate legitimate applications, Remote Access Trojans can mimic behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat logs, etc.
Wiper
The sole intention of the Wiper malware is to destroy data on the target machine. Unlike other attacks like ransomware, which often seeks financial gain, wipers are typically employed to destroy data and cover the attacker's tracks.
Backdoor
The dropping (or downloading) of a backdoor is often the second stage of an attack, where the first stage is the infiltration of the dropper or downloader. The final stage is gaining full control of the affected system and leveraging of a backdoor. In many cases, a backdoor is a payload as the attacker can build out their command and control infrastructure once it is functioning.
OSXMalware
Malware that specifically relates to Apple's OSX operating system.This group includes viruses, trojans, worms, and other types of malware that affect the Apple OSX environment.
LinuxMalware
Includes viruses, trojans, worms and other types of malware that affect the Linux operating system.
HackingTool
Hacking tools are commonly leveraged by attackers to infect, maintain, administer victim machines, and/or perform denial of service attacks. Some examples of hacking tools are Metasploit and Cobalt Strike. Hacking tools can also include administration tools that can be benign or malicious, like Microsoft's PSEXEC or Netcat.
SCADA
SCADA specific malware is designed to compromise SCADA systems by degrading system functionality. This includes malware affecting PLC logic to malware designed to compromise vulnerabilities in HMI software.
Downloader
This type of malware secretly downloads malicious files from a remote server, then installs and executes the files.
Dropper
A dropper is a type of Trojan that has been designed to install malware (virus, backdoor, etc.) onto a target system. A dropper is often considered one of the first stages of a compromise, since droppers typically deploy a second stage payload or tool.
FileInfector
File infector malware propagates malicious files on to other systems, removable devices, and networks. To do this routine, they seek out and copy their malicious code to certain files (.EXE, .DLL, .SYS, and, .HTML, etc).
DDoS
Malware that contains denial of service capabilities.
InternetofThingsMalware
Encompasses and includes malware families and exploits that exhibit behaviors specifically targeting or infecting IoT software, firmware, or devices.
Botnet
A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allows the attacker to access the device and its connection.
Webshell
A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts.
InfoStealer
Infostealers are malicious software programs that gather confidential information from the compromised computer to send it to a predetermined location. This can include information related to the compromised computer, financial data, or user credentials for various web sites.
Keylogger
A keylogger is a function which records keystrokes on a computer.
Loader
Loaders retrieve malicious executables or payloads from an attacker-controlled server.
ATMMalware
ATM malware is malicious software designed to compromise automated teller machines (ATMs) by exploiting vulnerabilities in the machine’s hardware or software. ATM malware is used to commit a crime known as “jackpotting” in which attackers install malware that forces ATMs to dispense large amounts of cash on command.

Recommended For You